Monday, March 21, 2011

Top 5 Misconceptions about ClamAV

Millions of people manage ClamAV installations everyday, and the millions of users protected by those installations reap the benefits of its protection engines as their first line of defense against malware threats. ClamAV is deployed inside numerous global ISPs, national telcos, hosting providers, and is utilized by numerous AV gateway vendors like Barracuda and OS vendors like Apple. Without specifically counting all the installations, it’s a pretty easy guess that ClamAV probably has the largest email AV presence in the entire world. I’d even go as far as saying it’s the de-facto standard in gateway AV technology. The main reason for this, based on feedback, is that ClamAV is easy to deploy, works with just about all the MTAs (Sendmail, PostFix, etc), provides pretty darn good protection, is easy to customize, and it’s cheap, heck it’s free.

Whenever I talk to people about ClamAV I always hear the same thing - great mail gateway AV, easy to setup, easy to customize, and it just works. I also always hear the same misconceptions. I think the price of being an ubiquitous technology is people think you do one thing, do that thing really well, and whatever that thing is, you still do it the same way and never evolve. This always leads me to long conversations about things people just don’t know about ClamAV - its engine, the technology, and the people who build it.

The Top 5 Misconceptions about ClamAV:

It’s only a Mail Gateway Scanner.
ClamAV is actually a framework. At the core of that framework is what we call libClamAV, this is where all the actual detection happens. This library can be used anywhere that can link to it, so if any application wants to use the power of ClamAV and its detection capabilities the application just needs to link against it. The rest of the framework is all the supporting applications that ClamAV comes with for connecting and running ClamAV in different settings. For instance the ClamD service allows for fast full system and single file scans, clamscan allows for simple on-demand scans, ClamAV-Milter allows for simple integration with MTAs, and freshclam handles keeping everything up to date.

This framework concept makes plugging ClamAV’s detection capabilities into any application really easy and is one of the main reasons ClamAV is used everywhere.

It’s just a bunch of Open Source hippies writing code in their spare time.
Sourcefire acquired ClamAV in 2007, and retained the entire ClamAV team, eventually the ClamAV team became part of the VRT. These guys are top notch, and do one hell of a job banging out code for ClamAV. The ClamAV feature set has not remained static. On the contrary, in 2010 alone these guys cranked out 6 feature-packed releases, adding tons of new detection features, optimizations, and signature language improvements. On the release front, to put it in context, commercial AV products in the enterprise space get released once every 1 - 2 years.

On top of that we crank though 100s of thousands of new malware samples every day with our automated sandboxes and malware evaluation systems. If you think ClamAV is just an Open Source project, without the same type of systems, data feeds, and technologies in the back office that other AV vendors have, you’d be grossly underestimating our capabilities.

Additionally, the VRT is well known for kicking ass, taking names, and chewing bubble gum in 3rd party validation tests like NSS (where we have consistently come out on top). This industry excellence isn’t limited to Sourcefire’s IPS.

ClamAV only has a simple content based signature language.
The ClamAV detection engine is multi faceted - heuristics, support for numerous archivers (Zip,Rar,OLE,etc,etc), tons of unpacking support (UPX, PeTite, NSPack, etc), and several different content inspection engines. These content inspection engines range from the simplistic (basic hashing signatures), to the extremely complex (ByteCode engine). In the middle are numerous content matching signature types that support everything you would expect from wildcards, character sets, Boolean logic, and negation. Support for PDF files, Javascript, and HTML files is also included in the engine, along with Mach-O binary support for all the shinny Apple devices out there. With all that support the ClamAV detection engine has everything necessary to detect today’s malware threats, exploits, adware, Trojans, spyware, keyloggers, and much more.

Sometimes detecting those threats requires some real heavy lifting. If that’s the case, the ByteCode engine allows a signature writer to do just about anything they can imagine. Need to implement a quick unpacker for that new piece of malware? Easy. Need to implement a new archiver to unpack something unique? Trivial. Have to do something complex with PDF files? No problem.

The other great thing about ClamAV is that the signature language is open, easy to use, and anyone can add new signatures to their ClamAV installs. If you’ve got something you need to do, and you need to do it now, cause your boss told you to, or the world is ending, it’s pretty darn simple to write your own signatures and add them to your setup.

Also we’ve got some pretty aggressive new features heading out for 0.98 later this year. More on those in the next blog post.

ClamAV only runs on Unix.
ClamAV has traditionally supported just about every Unix variant on the planet, but as a fully integrated engine in Immunet Protect 3.0 (http://www.immunet.com/), we’ve moved to officially supporting Windows. If you’d like to learn a bit more about Immunet and ClamAV on Windows check out the other posts on the ClamAV blog here.

Immunet Protect adds some additional detection capabilities on Windows platforms including but not limited to:

Community based protections - Share protection with other members of your Immunet community.

ClamAV just can’t be as good as a commercial AV engine, it’s Open Source.
This perception doesn’t surprise me anymore, it’s something we’ve had to deal with since the early days of Snort. There are still a lot people out there that truly believe if it’s a commercial product it’s better than an Open Source product. Normally, this is where the Open Source guys trot out the hundreds of examples of solid Open Source software that have proven they are as good, or better, than commercial offerings. Let's just start with DNS, just about every look up for any Internet request, such as a website, starts out with a DNS query, and those DNS queries are predominately answered by BIND, a solid Open Source Nameserver. Then it’s pretty easy to say MySQL or PostgreSQL run a large portion of your favorite Internet destinations. This list could probably go on for hundreds of paragraphs, just naming all the really excellent Open Source tools that compete for market share with commercial offerings every day.

At the end of the day, though, it’s really not about market share. When you try and compare commercial and Open Source solutions, it’s about effectiveness in solving the problem you, the end user, have. To draw a corollary with Snort, it’s all about detection of the latest network threats. If Snort doesn’t do this correctly, it definitely won’t solve the problem people are expecting it to solve. The only real way to get a handle around this is third-party testing and evaluation, and Snort has done exceptionally well in this area, earning honors for best overall detection at NSS two years running, and certified by ICSALabs in their IPS testing methodology.

When it comes to third-party evaluation of ClamAV, there are a couple of tests to look at. MRG did a third-party evaluation of Immunet Protect (uses ClamAV as one of its engines) where it outscored 15 other leading AV vendors and was the ONLY product that had a 100% detection rate. Additionally, ShadowServer does daily evaluations of numerous AV technologies; while ClamAV doesn’t come in number one, we do beat out numerous commercial AVs on a daily and yearly basis. Here are the stats for the last year: http://www.shadowserver.org/wiki/pmwiki.php/Stats/VirusYearlyStats.

I always find that after going over the above, people have a new outlook on what ClamAV does, how it works, and what it’s capable of doing. In addition, I always find it interesting that lots of people just don’t know that ClamAV is developed by Sourcefire, and that the ClamAV engine, signatures, and infrastructure are all part of the VRT. I guess that is the problem with technology that “just works,” if it is “just working” then people just keep running it, and don’t spend much time thinking about it. Just like no one ever thinks about all the technology in the power grid, because when you flip the light switch it “just works.” The VRT will try our best to keep it that way for the millions of people the ClamAV technology protects, because “just works” is a pretty excellent label in my opinion. Hopefully, now that you’ve read this article, when you think about “just works” you’ll also think about how ClamAV is way more than just a simple AV mail gateway scanner.

8 comments
:

Very interesting. Regarding "...as a fully integrated engine in Immunet Protect 3.0, we’ve moved to officially supporting Windows," how does that jive with the product supported sourceforge.net/projects/clamav? Particularly the files under projects/clamav/files/clamav/win32/ (the latest 0.97 as of Feb 7, 2011) which look remarkably like the win32 port that's been around for a long, long time?? Some files look like they're for 64 bit support, too. What's the SourceForge Immunet SourceFire Connection? (And no, I'm not confusing any of this with ClamWIN.)